From: James McNaughton
To: "Joe & Fhe Barbish"
Cc: "FBSD Questions"
Subject: Re: IPFW Security log?
Date: 30 Dec 2001 17:22:22 -0600
Message-ID: <86pu4w5m4x.fsf@jamestown.21stcentury.net>
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.1
List: freebsd-questions@FreeBSD.ORG

"Joe & Fhe Barbish" writes:

> In my security log I see the following messages. I take it the 3300 is
> the rule line that generated the message. As you can see, rule 3300 does not
> have the log option, so why is it being logged? I get a whole lot of these.
>
> Rule 5000 is just like the default rule, but I added log so I can see
> what is happening. I also have a lot of these. I have the log limit set
> to 50 so my log is not flooded.
> I am using natd and 3300 is before the divert rule.
> 63.70.155.x is my ISP's dynamic address pool.
>
> Is this attack traffic?
>
> /kernel: ipfw: 3300 Deny TCP 24.100.248.201:4957 63.70.155.125:21 in via tun0
> /kernel: ipfw: 3300 Deny TCP 61.13.119.100:1209 63.70.155.125:22 in via tun0
> /kernel: ipfw: 3300 Deny TCP 61.13.119.100:1209 63.70.155.125:22 in via tun0
> /kernel: ipfw: 5000 Deny UDP 208.206.15.4:520 63.70.155.114:520 in via tun0
>

It could be someone scanning your ports or trying to get ftp access to
your machine (port 21) or ssh access (port 22). In the past there were
known vulnerabilities on some OSes for these services, and it seems
script kiddies keep trying them. AFAIK, the daemons have been fixed in
FreeBSD for known exploits. Since your firewall is catching these probes,
they're probably nothing to get excited about.

However, the rule number from your rc.firewall excerpt doesn't seem to be
matching up with the network address from the log. Maybe you could double
check rc.firewall to make certain your rule numbers don't have a duplicate
and that you're really using that set of rules (e.g. rc.conf is defining
the desired value for firewall_type and it matches the section of
rc.firewall that you customized).

BTW, it is unnecessary to define the rule numbers. As long as the rules
are added in the proper order, the rule numbers auto-increment and
everything works out OK. It's not "wrong" to use the numbers, but it does
add another point of failure in the ipf setup.

>
> # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
> # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
> # on the outside interface
> ${fwcmd} add 03300 deny ip from 0.0.0.0/8 to any via ${oif}
> ${fwcmd} add 03400 deny ip from 169.254.0.0/16 to any via ${oif}
> ${fwcmd} add 03500 deny ip from 192.0.2.0/24 to any via ${oif}
> ${fwcmd} add 03600 deny ip from 224.0.0.0/4 to any via ${oif}
> ${fwcmd} add 03700 deny ip from 240.0.0.0/4 to any via ${oif}
>
> # Everything else is denied by default so I added this to log all defaulted
> # denies.
> ${fwcmd} add 05000 deny log logamount 50 ip from any to any
>

Best wishes...
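As an added example (editor's code, not from either poster or from FreeBSD), here is a small Python check for the two things the reply suggests: whether each logged packet could actually have matched the rule number it carries, judged against the source networks in the quoted rc.firewall excerpt, and whether the script reuses a rule number. The rule numbers, networks and the four log lines are taken from the thread as quoted; the one assumption is that ${oif} is tun0, which is what the log lines show. The duplicated rule in the usage note below is constructed to show the check firing.

```python
import ipaddress
import re
from collections import Counter

# Rule set reconstructed from the rc.firewall excerpt quoted in the thread:
# rule number -> (source network the rule matches, interface or None for any).
# ${oif} is assumed to be tun0, as the log lines say "in via tun0".
RULES = {
    3300: ("0.0.0.0/8", "tun0"),
    3400: ("169.254.0.0/16", "tun0"),
    3500: ("192.0.2.0/24", "tun0"),
    3600: ("224.0.0.0/4", "tun0"),
    3700: ("240.0.0.0/4", "tun0"),
    5000: ("0.0.0.0/0", None),  # 'deny log logamount 50 ip from any to any'
}

# The rc.firewall lines quoted in the thread, with the shell variables left as-is.
RC_EXCERPT = """
${fwcmd} add 03300 deny ip from 0.0.0.0/8 to any via ${oif}
${fwcmd} add 03400 deny ip from 169.254.0.0/16 to any via ${oif}
${fwcmd} add 03500 deny ip from 192.0.2.0/24 to any via ${oif}
${fwcmd} add 03600 deny ip from 224.0.0.0/4 to any via ${oif}
${fwcmd} add 03700 deny ip from 240.0.0.0/4 to any via ${oif}
${fwcmd} add 05000 deny log logamount 50 ip from any to any
"""

# The four log lines quoted in the question, verbatim.
SAMPLE_LOG = [
    "/kernel: ipfw: 3300 Deny TCP 24.100.248.201:4957 63.70.155.125:21 in via tun0",
    "/kernel: ipfw: 3300 Deny TCP 61.13.119.100:1209 63.70.155.125:22 in via tun0",
    "/kernel: ipfw: 3300 Deny TCP 61.13.119.100:1209 63.70.155.125:22 in via tun0",
    "/kernel: ipfw: 5000 Deny UDP 208.206.15.4:520 63.70.155.114:520 in via tun0",
]

LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)


def parse_log_line(line):
    """Return a dict of fields for one ipfw log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    event = m.groupdict()
    for key in ("rule", "sport", "dport"):
        event[key] = int(event[key])
    return event


def rule_could_match(event, rules=RULES):
    """True if the rule number in the log line can actually match that packet,
    judged only on source network and interface, the predicates the quoted
    rules use. A False here means the running rule set is not the file."""
    if event["rule"] not in rules:
        return False
    net, iface = rules[event["rule"]]
    in_net = ipaddress.ip_address(event["src"]) in ipaddress.ip_network(net)
    on_iface = iface is None or iface == event["iface"]
    return in_net and on_iface


def audit(lines, rules=RULES):
    """Split log lines into (consistent, suspect) event lists."""
    consistent, suspect = [], []
    for line in lines:
        event = parse_log_line(line)
        if event is None:
            continue
        (consistent if rule_could_match(event, rules) else suspect).append(event)
    return consistent, suspect


def targeted_ports(events):
    """Count (protocol, destination port) pairs to see what is being probed."""
    return Counter((e["proto"], e["dport"]) for e in events)


def duplicate_rule_numbers(rc_firewall_text):
    """Rule numbers used by more than one 'add NNNNN' line in an rc.firewall script."""
    numbers = re.findall(r"\badd\s+(\d+)\s", rc_firewall_text)
    counts = Counter(int(n) for n in numbers)
    return sorted(n for n, c in counts.items() if c > 1)


if __name__ == "__main__":
    ok, bad = audit(SAMPLE_LOG)
    for e in bad:
        print("rule %d (%s) cannot match source %s on %s"
              % (e["rule"], RULES[e["rule"]][0], e["src"], e["iface"]))
    print("probed ports:", dict(targeted_ports(ok + bad)))
    print("duplicate rule numbers:", duplicate_rule_numbers(RC_EXCERPT))
```

Run against the quoted lines, the three rule-3300 entries come out as suspect (neither 24.100.248.201 nor 61.13.119.100 is in 0.0.0.0/8), while the rule-5000 entry is consistent; the excerpt itself has no duplicate numbers, but appending a second `add 03300` line makes `duplicate_rule_numbers` return `[3300]`. In practice the next step is to compare the file with what the kernel is actually running (`ipfw list`, or `ipfw show` for per-rule counters), since a log line can only name a rule number that exists in the loaded set.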